b'U.S. Department of the Interior\nOffice of Inspector General\n\n\n\n\n            AUDIT REPORT\n\n\n         MAINFRAME COMPUTER\n      POLICIES AND PROCEDURES,\n    ADMINISTRATIVE SERVICE CENTER,\n       BUREAU OF RECLAMATION\n\n              REPORT NO. 97-I-683\n                 MARCH 1997\n\x0c\x0c                                          GLOSSARY\n\n\nAsynchronous Protocol. Refers to a set of conventions used to start and stop transmissions that\noccur without a regular or predictable time relationship to a specific event. Synchronous protocol\nrefers to a set of conventions used for transmissions that occur regularly or predictably with respect\nto a specific event.\n\nCustomer Information Control System (CICS). This is an IBM software product that serves as\na teleprocessing monitor for the MVS operating system on the Service Center\xe2\x80\x99s mainframe\ncomputers, which enables transactions entered at remote computer terminals to be processed\nconcurrently and is designed to control execution of application programs in an interactive on-line\nenvironment.\n\nData Structure. How the data are physically laid out within a computer system (for example, the\nfields in a record).\n\nEthernet. A networking scheme that allows microcomputers to be connected to a network. It\nphysically consists of cabling, which connects all the machines on a network.\n\nMultiple Virtual Storage/Enterprise Systems Architecture (MVWESA). An operating system\nthat runs on IBM mainframe computers and increases virtual memory capability to 16 terabytes\n(trillion bytes),\n\nResource Access Control Facility (RACF). An IBM-licensed product that provides for access\ncontrol by identifying and verifying users to the system, authorizing access to protected resources,\nlogging detected unauthorized attempts to enter the system, and logging detected accesses to\nprotected resources.\n\nTime Sharing Option (TSO). A system software product that serves as the session manager on the\nmainframe computers whereby terminal users can submit jobs on-line. Time sharing allows a number\nof users to execute programs concurrently and to interact with the programs during execution.\n\nTransmission Control Protocol/Internet Protocol. The system that networks use to communicate\nwith each other by allowing traffic to be routed from one network to another. The Internet Protocol\nis a set of conventions used to pass packets (that is, a cluster of data) from one network to another.\n\x0c                                                                              A-IN-BOR-001-96\n\n\n                United States Department of the Interior\n                              OFFICE OF INSPECTOR GENERAL\n                                     Washington, D.C. 20240\n\n\n\n\n                                    AUDIT REPORT\nMemorandum\n\nTo:                          for Water and Science\n\nFrom:\n         Assistant Inspector General for Audits\n\nSubject: Audit Report on Mainframe Computer Policies and Procedures, Administrative Service\n         Center, Bureau of Reclamation (No. 97-I-683)\n\n                                   INTRODUCTION\nThis report presents the results of our audit of mainframe computer policies and procedures at the\nBureau of Reclamation\xe2\x80\x99s Administrative Service Center. The objective of the audit was to evaluate\nthe adequacy of the management and internal controls of the Service Center\xe2\x80\x99s mainframe computer\nsystem and its processing environment. Specifically, the audit focused on management and internal\ncontrols over the following areas: computer center management and operations; telecommunications\nand local area network (LAN) security; application systems access; mainframe computer system\nphysical and logical security; and contingency planning, backup, and disaster recovery.\n\nBACKGROUND\n\nThe Bureau of Reclamation\xe2\x80\x99s Administrative Service Center in Denver, Colorado, provides: (1)\nconsolidated payroll and personnel services for about 106,000 employees in the Department of the\nInterior and five other Federal agencies and (2) Government accounting, integrated budgeting, and\nreporting services through the Federal Financial System (FFS) to five Departmental and five other\nFederal agencies.\n\nAt the time of our review, payroll and personnel services were provided through the\nPayroll/Personnel System (PAY/PERS). However, the Service Center was developing a new\npersonnel/payroll system, the Federal Personnel Payroll System (FPPS). The first phase of the new\nsystem, which has been implemented, is the SF-52 System (an SF-52 form is entitled \xe2\x80\x9cRequest for\nPersonnel Action\xe2\x80\x9d). The second phase, which consists of personnel actions and payroll processing,\nis scheduled for implementation beginning in September 1997. The Service Center was also to\nprovide payroll and personnel services to an additional 65,000 Social Security Administration\nemployees beginning in October 1997.\n\x0cThe Service Center\xe2\x80\x99s ADP Services Division is responsible for managing the computer center that\nprovides the various services. To assist the Division in carrying out its functions, the Service Center\nhas contracted Tri-Cor to provide staff to assist in operating and maintaining the computer systems\nsoftware, communications, and LANs. The computer center provides data processing support for\n\nthe computer center operates an IBM mainframe computer that runs Multiple Virtual Storage (MVS)\nExtended Systems Architecture operating system to manage the processing work load. The access\ncontrol security software installed on the mainframe computer is the Resource Access Control Facility\n(RACF), which controls user access not only to the application systems, such as the Customer\nInformation Control System applications, but also to the Time Sharing Option (TSO) facility. The\nFFS contains application level security that controls the action a user may invoke. Other system\nsoftware, such as other data base management software, telecommunications software, and\nspecialized vendor software products, also resides on the mainframe computers. Network and local\ncommunications support for both asynchronous and synchronous protocols are provided, as well as\nLAN connectivity, through Ethernet and Transmission Control Protocol/Internet Protocol. (The\nspecific computer system software and network communications cited are detailed in the Glossary.)\n\nSCOPE OF AUDIT\n\nTo accomplish our objective, we interviewed Service Center and Tri-Cor personnel, reviewed systems\ndocumentation, observed and became familiar with computer center operations and data structures,\nanalyzed system security, and observed a disaster recovery test. In addition, we reviewed the\nsoftware maintenance procedures. Because our review was limited to evaluating the adequacy of\ninternal controls at the Service Center, we did not test the effectiveness of the internal controls at the\nvarious bureaus and agencies serviced by the Service Center.\n\nOur audit, which was conducted during June through October 1996, was made in accordance with\nthe \xe2\x80\x9cGovernment Auditing Standards,\xe2\x80\x9d issued by the Comptroller General of the United States.\nAccordingly, we included such tests of records and other auditing procedures that were considered\nnecessary under the circumstances.\n\nAs part of our audit, we evaluated the Service Center\xe2\x80\x99s system of internal controls over its mainframe\ncomputer system that could adversely affect the data processing environment, The control\nweaknesses that we found are discussed in the Results of Audit section and in Appendix 1 of this\nreport. If implemented, our recommendations should improve the management and internal controls\nin the areas cited.\n\n\n\n\nany information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national\ninterest or the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which\nhas not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret\nin the interest of national defense or foreign policy.\xe2\x80\x9d\n\n                                                              2\n\x0cPRIOR AUDIT COVERAGE\n\nDuring the past 5 years, the General Accounting Office has not issued any reports related to the scope\nof this audit. However, in March 1994, the Office of Inspector General issued the report\n\xe2\x80\x9cCompliance With the Computer Security Act of 1987, Denver Administrative Service Center,\nBureau of Reclamation\xe2\x80\x9d (No. 94-I-357). The report stated that the Service Center generally complied\nwith requirements of the Computer Security Act of 1987 but that improvements were needed in the\nareas of security and operations. Since the Service Center was addressing all of the deficiencies\nidentified, no recommendations were made. However, deficiencies in performing a risk analysis of\nthe Service Center\xe2\x80\x99s LANs and in the separation of duties within RACF software still existed during\nour review. These issues are discussed in the Results of Audit section and in Appendix 1 of this\nreport.\n\n                                  RESULTS OF AUDIT\n\nThe Bureau of Reclamation\xe2\x80\x99s Administrative Service Center has weaknesses in management and\ninternal controls in five major areas: (1) computer center management and operations; (2) LAN\nprotection; (3) FFS application; (4) computer mainframe system physical and logical security; and (5)\ncontingency planning, backup, and disaster recovery. Office of Management and Budget Circular A-\n130, \xe2\x80\x9cManagement of Federal Information Systems,\xe2\x80\x9d and the National Institute of Standards and\nTechnology Federal Information Processing Standards Publications require Federal agencies to\nestablish and implement computer security and management and internal controls to improve the\nprotection of sensitive information in the computer systems of \xe2\x80\x98executive branch agencies.\nAdditionally, the Congress enacted laws, such as the Privacy Act of 1974 and the Computer Security\nAct of 1987, to improve the security and privacy of sensitive information in computer systems by\nrequiring executive branch agencies to ensure that the level of computer security and controls is\nadequate. However, the Service Center has not complied with these criteria in that it did not\ndocument formal policies, standards, and procedures; follow proper practices and processes;\nsegregate duties; comply with key software vendor guidelines for MVS integrity; and develop a\nformal, up-to-date, comprehensive data security program. These weaknesses increase the risk of\nunauthorized access and modifications to and disclosure of client-sensitive data supported by the\nService Center\xe2\x80\x99s mainframe computer; theft or destruction of hardware, software, and sensitive\ninformation; and the loss of critical systems and functions in the event of a disaster.\n\nOverall, we identified 15 weaknesses and made 24 recommendations for improving management and\ninternal controls at the Service Center. The weaknesses within the five major areas are provided\nbelow, and specific details of the weaknesses and our respective recommendations to improve these\nweaknesses are in Appendix 1.\n\x0cComputer Center Management and Operations\n\nWe found that contractor employees in critical positiorx did not have proper background clearances,\nWithout knowledge of security-related background information on contractor personnel, the risk is\nincreased for Service Center\xe2\x80\x99s sensitive systems to be compromised. We made one recommendation\nto address this weakness.\n\nLAN Protection\n\nWe found that the Service Center could improve controls in administering and managing its LAN.\nImproved controls were needed in the areas of intruder detection lockout settings, disaster recovery,\nand user access. Because of the weak controls, the risk is increased for Service Center personnel to\nhave unauthorized access to the mainframe computer and thus to sensitive payroll and accounting\ndata. We made five recommendations to address these weaknesses.\n\nFFS Application\n\nWe found that access controls in the FFS application software would not prevent Service Center\nusers from generating unauthorized disbursements. Specifically, several users had access to vendor\ntables, which could result in the tables being changed and disbursing documents being affected. We\nmade one recommendation to correct this weakness,\n\nMainframe Computer System Physical and Logical Security\n\nWe found that the Service Center did not always comply with Circular A- 130 or the Department of\nthe Interior\xe2\x80\x99s \xe2\x80\x9cInformation System Security Handbook.\xe2\x80\x9d Also, the Service Center did not implement\ncontrols recommended in software vendor guidelines and generally accepted information system\nindustry practices in administering and implementing operating system and access security software\non its mainframe computers. These weaknesses were in the areas of physical security, password\nsettings, System Management Facility (SMF) logs, multiple user identification (ID) codes, ADP\naccess levels, separation of duties in the use of RACF security controls, and computer security plans.\nAs a result, sensitive data maintained on the Service Center\xe2\x80\x99s computer were vulnerable to\nunauthorized access and change. We made 14 recommendations to address weaknesses in these\nareas.\n\nContingency Planning, Backup, and Disaster Recovery\n\nWe found weaknesses in the Service Center\xe2\x80\x99s contingency planning, backup, and disaster recovery\nfor its sensitive systems and mainframe computing environment. Specifically, rather than relying on\ndocumented procedures, the Service Center relied upon individuals\xe2\x80\x99 knowledge. We also found that\nthe Service Center did not have a documented comprehensive business recovery plan. As a result, in\n\n\n                                                  4\n\x0cthe event of a disaster, the Service Center may not be able to recover critical systems and business\nfunctions. We made three recommendations to address these weaknesses.\n\nBureau of Reclamation Response and Office of Inspector General Reply\n\nIn the March 24, 1997, response (Appendix 2) from the Commissioner, Bureau of Reclamation, to\nour draft report, the Bureau generally concurred with 23 of our 24 recommendations. Based on the\n\n\n0.1 resolved but not implemented; and Recommendation L. 1 unresolved. Accordingly, the\nunimplemented recommendations will be referred to the Assistant Secretary for Policy, Management\nand Budget for tracking of implementation, and the Bureau is requested to reconsider the unresolved\nrecommendation (see Appendix 3). While the Bureau\xe2\x80\x99s response generally concurred with the\nrecommendations, except for Recommendation L. 1, the response did take issue with several\nstatements regarding our recommendations, which we have addressed as follows:\n\n         - Recommendation L.1. The Bureau said that it \xe2\x80\x9cdisagree[d]\xe2\x80\x9d with the recommendation and\nthat it \xe2\x80\x9cquestion[ed] any adverse effect as well as any benefit from retroactively requiring additional\ndocumentation [to ensure that Decentralized Security Administration Facility records are updated for\noral access adjustments]. While we did not question the validity of oral requests for access to the\nmainframe computer systems, we did recommend that these requests and approvals be documented\nin Facility records to allow reconciliation between access requested and access allowed to ensure that\naccess is assigned at the appropriate level. Accordingly, the Bureau should reconsider its response\nto this recommendation.\n\n         - Recommendation F.1. While the Bureau said that it has complied with the recommendation,\nit stated that the problem was \xe2\x80\x9ccurrency of documentation\xe2\x80\x9d and not a problem of physical security\nbecause two levels of security control occur before personnel are allowed entry into the computer\nrooms. We agree that two levels of security control had to be passed through to enter the computer\nroom. However, the Service Center had \xe2\x80\x9cgeneric\xe2\x80\x9d key cards that were issued to and used by vendors\nand building management personnel for access to the computer rooms. Thus there was little\nassurance that only specific people had use of the key card to gain access to the computer rooms.\n\n        - Recommendation G.2. While the Bureau said that it concurred with the intent of the\nrecommendation, it stated in its response that the 180-day password interval for RACF security\napplied to only one application, the Automated SF 52 System. The Bureau stated that the \xe2\x80\x9cextended\ninterval\xe2\x80\x9d was requested by the users and approved by the Bureau\xe2\x80\x99s Security Ma.nager. It further\ndisagreed with our assertion that \xe2\x80\x9cnot all mainframe applications have access security.\xe2\x80\x9d We disagree\nwith these statements. First, the Automated SF 52 System is not the only application residing on the\nmainframe. The mainframe also houses the PAY/PERS and the Federal Financial System, both\nsensitive applications. Further, at the time the Service Center received approval for the 180-day\npassword interval in June 1994, the PAY/PERS was not residing on the mainframe. Second, the\nPAY/PERS does not have adequate security within the application; thus it relies exclusively on\n\n                                                   5\n\x0cRACF security to control access. As such, by default, users to the mainframe applications have 180-\nday password settings.\n\n         - Recommendation K.1. While the Bureau concurred with the recommendation, it disagreed\nthat the condition was caused by the limited number of staff assigned to the group for monitoring\nsecurity. The Bureau stated, \xe2\x80\x9cThis information does not represent the ASC [Administrative Service\nCenter] position.\xe2\x80\x9d During our review, we found that the group did not have an adequate number of\nstaff or that the work load was distributed to ensure that the segregation of duties was adequate.\n\n        - Recommendation N.1. While the Bureau concurred with the recommendation, it stated that\n\xe2\x80\x9cthis condition should have been more appropriately stated as a currency of documentation issue\xe2\x80\x9d\nbecause the Administrative Service Center \xe2\x80\x9chas addressed recovery of the Federal Financial System\nand telecommunications although not formally documented.\xe2\x80\x9d We disagree. By not including the\nFederal Financial System and telecommunications in the Continuity of Operations Plans, there is little\nassurance that the Federal Financial System and telecommunications would be addressed and\nrecovered during the testing of the plan or in the event of a disaster. Further, during our review of\na disaster recovery test, the Federal Financial System was not included in any of the tests performed\nby the Service Center.\n\nAdditional Comments on Audit Report\n\nIn its response, the Bureau disagreed with our use of \xe2\x80\x9cgenerally accepted industry and information\nsystem standards\xe2\x80\x9d as acceptable criteria, stating that \xe2\x80\x9ca conclusive set of standards were not available\nand the auditors were not aware as to whether these standards had ever been issued as official\nGovernment-wide policy.\xe2\x80\x9d The Bureau further stated that the Department\xe2\x80\x99s Office of Information\nResources Management had likewise advised that it was unaware of these standards and of their\napplicability to Departmental organizations,\n\nHowever, computer and information system audit guidelines that were used by the auditors in\nperforming the audit are those that are also used by other Federal Government and private industry\nauditors and computer installation staff in evaluating the effectiveness of computer center\nmanagement and operations, The audit guidelines refer to numerous directives, policies, and\nguidelines issued by the Office of Management and Budget and the National Institute of Standards\nand Technology and, by reference, to non-Federal standard-setting organizations such as the\nInformation Systems Control Foundation, the Institute of Internal Auditors Research Foundation, and\nthe American Institute of Certified Public Accountants. Further, the Office of Management and\nBudget and the National Institute of Standards and Technology, by reference, include and recognize\nnot only these non-Federal standard-setting organizations but also the British Standards Institute, as\nwell as: (1) periodicals such as the Auerbach Publishers newsletters and articles (EDP Audit and\nControl Newsletter), LAN Times, and Infosecurity News; (2) symposiums and conferences held by\nthe Institute of Electrical and Electronic Engineers Computer Society, the National Computer\nSecurity, and UNIX; and (3) individuals who are considered experts in information systems such as\nthe Inspector General for the U.S. House of Representatives. While guidelines and standards issued\n\n                                                   6\n\x0cby these organizations, publishers, and individuals may not have been issued as \xe2\x80\x9cofficial\nGovernmentwide policy,\xe2\x80\x9d they promulgate industrywide standards and are the bases for many\nGovernmental directives, policies, and guidelines issued that are related to information systems. In\naddition, many of the Federal Government policies, directives, and guidelines state that the\nrequirements therein are \xe2\x80\x9cminimum\xe2\x80\x9d requirements, which implies that additional requirements or\nstandards such as those defined by the information systems industry can and should be used.\n\nThe Bureau also questioned certain recommendations in terms of their consistency with Office of\nManagement and Budget policies, in particular, with policies of Circulars A-123 and A-l 30. In this\nregard, the Bureau said that we did not consider cost as an \xe2\x80\x9cimportant consideration\xe2\x80\x9d when\naddressing \xe2\x80\x9cadequate\xe2\x80\x9d computer security controls.\n\nRegarding the \xe2\x80\x9ccosts\xe2\x80\x9d of our recommendations, we are not responsible for performing cost-benefit\nanalyses of the computer controls needed for the Bureau\xe2\x80\x99s automated information systems. Rather,\nthe Bureau is responsible for conducting an adequate review of the risks and associated costs when\nit determines the controls needed in its computer systems, The auditors are responsible for\ndetermining whether the analyses were adequate for the circumstances. During our review, the\nBureau could not provide us with any such analyses of cost versus risk.\n\nWhile the Bureau stated that armed guard service was on-site at the Service Center 24 hours a day,\nwe did not see a guard on-site during normal duty hours at any time during our audit. We agree that\nthe security measures identified in the Bureau\xe2\x80\x99s response reduce the risk of physical damage to the\nFacility and thus to computers. However, our audit was not limited to reviewing only the physical\naccess to and the security of the Facility. It also included a review of physical access to computer\nhardware and software. As stated in our report, physical access to the computer rooms was not\ncontrolled or limited to only those personnel who required access to perform their day-to-day duties.\n\nAs required by the Departmental Manual (360 DM 5.3) please provide us with your written\ncomments to this report by June 3, 1997. The response should provide the information requested in\nAppendix 3,\n\nThe legislation, as amended, creating the Office of Inspector General requires semiannual reporting\nto the Congress on all audit reports issued, actions taken to implement audit recommendations, and\nidentification of each significant recommendation on which corrective action has not been taken.\n\nWe appreciate the assistance of Bureau Administrative Service Center personnel in the conduct of\nour audit.\n\n\n\n\n                                                  7\n\x0c                                                                                     APPENDIX 1\n                                                                                      Page 1 of 20\n\n\n    DETAILS OF WEAKNESSES AND RECOMMENDATIONS\n\n\nCOMPUTER CENTER MANAGEMENT AND OPERATIONS\n\nA. Background Clearances\n\nCondition:    Critical contractor personnel, such as the RACF administrator and software\n              management personnel, did not have documented clearances.\n\nCriteria:     Office of Management and Budget Circular A-130, Appendix III, requires agencies\n              to establish and manage personnel security policies, standards, and procedures that\n              include requirements for screening individuals who: (1) participate in the design,\n              development, operation, or maintenance of sensitive applications or (2) have access\n              to sensitive data.\n\nCause:        While Federal employees are required to have background clearances, the Service\n              Center did not apply this requirement to contractors.\n\nEffect:       Without proper personnel screening, managers had limited knowledge of the\n              suitability of contractor personnel, from a security standpoint, for their respective\n              jobs. Without this assurance, the risk is increased for the Service Center\xe2\x80\x99s sensitive\n              systems to be compromised.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, require all contractor employees\nto have the proper background clearances.\n\n\n\n\n                                                8\n\x0c                                                                                   APPENDIX 1\n                                                                                    Page 2 of 20\n\n\nLAN PROTECTION\n\nB. LAN Monitoring\n\nCondition:    Four file servers at the Service Center had minimal lockout settings. For example,\n              current lockout procedures provide for only a 15-minute lockout after three or four\n              unsuccessful log-in attempts. We believe that these lockout settings would not\n              adequately identify unauthorized access. The NetWare operating system software\n              supports an \xe2\x80\x9cintruder detection/lockout feature,\xe2\x80\x9d which aids in the prevention of\n              unauthorized access to the system. The system will suspend a user account when a\n              predefined number of unsuccessful access attempts occurs in a predetermined amount\n              of time. The time that an account is suspended may also be defined.\n\nCriteria:     The Privacy Act of 1974 and the Computer Security Act of 1987 require\n              implementation of minimally acceptable security practices for improving the security\n              and privacy of sensitive information in Federal computer systems. Office of\n              Management and Budget Circular A-l 30 requires agencies to establish controls to\n              ensure adequate security for all information processed, transmitted, or stored in\n              Federal automated information systems. Also, the Circular requires agencies to\n              ensure that appropriate safeguards exist in general support systems (for example,\n              LANs and the data processing center, including the operating system and utilities).\n              In addition, industry standards recommend a lockout period of 7 days.\n\nCause:        Service Center officials stated that the 15-minute lockout met the Bureau of\n              Reclamation\xe2\x80\x99s LAN standards. However, the Bureau\xe2\x80\x99s LAN implementation\n              guidelines recognize that the minimum settings for intruder lockout parameters may\n              be unacceptable to many offices. We believe, given the sensitivity of data at the\n              Service Center, that minimum settings are unacceptable to ensure protection from\n              unauthorized access to sensitive data.\n\nEffect:       The minimum level of security set for the LAN increases the risk that unauthorized\n              access to the Service Center\xe2\x80\x99s LAN resources will not be detected timely.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, enhance the intruder detection\nsettings above the Bureau of Reclamation\xe2\x80\x99s policy to suspend a user account, after unsuccessful\naccess attempts, for a period of time long enough to ensure that the user will have to contact an\nadministrator to have the user ID reset. For example, the user ID could be suspended for 24 hours\nafter three incorrect attempts occurred in a 24-hour period.\n\n                                                9\n\x0c                                                                                       APPENDIX 1\n                                                                                        Page 3 of 20\n\n\nLAN PROTECTION\n\nC. LAN Disaster Recovery Plan\n\nCondition:    The Service Center did not have a documented disaster recovery plan for its LAN.\n              This weakness was identified in a March 1994 Office of Inspector General audit\n\n              risk analysis (the first step in developing a disaster recovery plan) on its LAN.\n\nCriteria:     Office of Management and Budget Circular A- 130, Appendix III, requires agencies\n              to establish controls to ensure adequate security for all information processed,\n              transmitted, or stored in Federal automated information systems. Specifically,\n              agencies should establish a contingency plan and periodically test the capability of the\n              plan to perform the function in the event that its automated systems fail\n\nCause:        Because no risk analysis has been performed on the LAN, no disaster recovery plan\n              has been developed by the Service Center.\n\nEffect:       The lack of a disaster recovery plan increases the risk that offices will not be able to\n              resume processing on a timely basis after a disaster occurs.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, develop and periodically update a\ndisaster recovery plan for the LAN.\n\n\n\n\n                                                 10\n\x0c                                                                                     APPENDIX I\n                                                                                      Page 4 of 20\n\n\nLAN PROTECTION\n\nD. User Access Control\n\nCondition:   The security settings that provide access to the file servers were not controlled. We\n             identified weaknesses in the way user profiles had been established. In NetWare,\n             established user profiles superseded the file server default restrictions. As such, some\n             users had a required password change interval greater than 90 days, had concurrent\n             multiple or unlimited connections, and were not required to use unique passwords.\n\n             In addition, the \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command was not used on any of the file\n             servers we reviewed. The \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command is designed to prevent\n             users from gaining access to the file server console by removing DOS from the system\n             memory when the operating system is powered down. Also, the \xe2\x80\x9cSET ALLOW\n             UNENCRYPTED PASSWORD = ON\xe2\x80\x9d was found on two of the file servers\n             reviewed. This designation allows passwords to be UNENCRYPTED, thereby\n             increasing the risk for passwords to be obtained and used by unauthorized users.\n\nCriteria:    Office of Management and Budget Circular A- 130, Appendix III, requires agencies\n             to establish controls to ensure adequate security for all information processed,\n             transmitted, or stored in Federal automated information systems, It also requires\n             agencies to implement and maintain a program to ensure that adequate security is\n             provided for all agency information collected, processed, transmitted, stored, or\n             disseminated in general support systems and major applications. The Circular mrther\n             defines \xe2\x80\x9cadequate security\xe2\x80\x9d as \xe2\x80\x9csecurity commensurate with the risk and magnitude\n             of harm resulting from the loss, misuse, or unauthorized access to or modification of\n             information.\xe2\x80\x9d\n\nCause:       Service Center procedures were not followed or were not in place to ensure that\n             controls were adequate to safeguard the LANs.\n\nEffect:      The minimum security settings for the Service Center\xe2\x80\x99s LAN increase the risk for\n             unauthorized access to network systems, which could result in the loss of data and\n             in unauthorized individuals gaining access to sensitive data files through DOS by\n             bringing down the file server.\n\n\n\n\n                                                11\n\x0c                                                                                     APPENDIX 1\n                                                                                      Page 5 of 20\n\n\nLAN PROTECTION\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Ensure that LAN security and password features are implemented, which will require all users\nto change passwords every 90 days, enforce unique password use, and limit concurrent multiple or\nunlimited connections to one per user and grant additional connections on an as-needed basis.\n\n     2. Include the \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command in the AUTOEXEC.NCF file on all file servers\nto prevent users from gaining access to the system files in DOS mode.\n\n    3. Ensure that the command \xe2\x80\x9cSET ALLOW UNENCRYPTED PASSWORD=ON\xe2\x80\x9d is not\n\n\n\n\n                                                 12\n\x0c                                                                                        APPENDIX 1\n                                                                                         Page 6 of 20\n\n\nFFS APPLICATION\n\nE. Access Security Controls\n\nCondition:     FFS security access controls were not adequate. We identified 15 users, who were\n               Service Center employees, who could update and modify the application vendor table\n               of one of the Service Center\xe2\x80\x99s clients, as well as initiate disbursement documents.\n               This access could result in the vendor table being changed and in an unauthorized\n               disbursing document being entered.\n\nCriteria:      Office of Management and Budget Circular A-130, Appendix III, requires that\n               security controls for personnel include such controls as individual accountability,\n               \xe2\x80\x9cleast privileged,\xe2\x80\x9d and separation of duties. \xe2\x80\x9cLeast privileged\xe2\x80\x9d is the practice of\n               restricting users\xe2\x80\x99 access (to data files, to processing capability, or to peripherals) or\n               type of access (read, write, execute, or delete) to the minimum necessary for the users\n               to perform their jobs. Separation of duties is the practice of dividing the steps in a\n               critical function among different individuals.\n\nCause:          Although the Service Center provided payment services to its client, the Service\n                Center had not ensured that security controls in the FFS application prevented\n                unauthorized payments. Service Center officials stated that the client was responsible\n                for establishing the application security.\n\nEffect:         Without the applicable security access controls, the risk is increased for unauthorized\n                payments to be disbursed.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, coordinate with the client to limit\nService Center users\xe2\x80\x99 access to the \xe2\x80\x9cleast privileged\xe2\x80\x9d in the FFS application; that is, assurance should\nbe provided that any user authorized to enter or change the vendor table does not also have access\nto disbursing documents.\n\n\n\n\n                                                   13\n\x0c                                                                                     APPENDIX 1\n                                                                                      Page 7 of 20\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nF. Physical Security\n\nCondition:   Although access to the Service Center facilities was controlled, the Service Center\n             could not identify all individuals who had card key access to the computer rooms,\n             which house the mainframe and LAN. In addition, some Service Center visitors (for\n             example, maintenance personnel, janitorial staff, and vendors) were not monitored\n             when they were inside the computer room.\n\nCriteria:    The Department of the Interior Automated Information System Handbook, when\n             addressing the control for personnel access to computer facilities, states, \xe2\x80\x9cAccess by\n             visitors, equipment personnel, and other individuals not directly involved with\n             managing or operating a sensitive automated information system installation will be\n             controlled by individual authorization.\xe2\x80\x9d The Handbook further states that it is\n             recognized that different procedures and restrictions will be required for various\n             categories of visitors but that all access by other than assigned personnel will be\n             monitored.\n\nCause:       The Service Center\xe2\x80\x99s informal procedures provided for vendors, as well as for the\n             building management company, to be issued card keys to these sensitive areas without\n             identifying the individuals receiving the cards and without requiring formal access\n             request forms. Also, current practices allow certain visitors to be unmonitored when\n             they are in the sensitive areas,\n\nEffect:      The Service Center cannot specifically identify all those individuals who have access\n             to and/or are accessing the computer rooms. Furthermore, by not monitoring all\n             visitors, the risk is increased for the Service Center\xe2\x80\x99s sensitive data and resources to\n             be stolen or destroyed.\n\n\n\n\n                                                14\n\x0c                                                                                      APPENDIX 1\n                                                                                       Page 8 of 20\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n      1. Document procedures for the issuance of key cards and require that the procedures be\ninstituted for vendors in addition to contractors and Federal employees.\n\n     2. Evaluate the need for individuals outside of the ADP Services Division to be issued permanent\ncard keys because such access should be limited to those individuals performing their day-to-day\nduties.\n\n     3, Document procedures to ensure the Service Center\xe2\x80\x99s compliance with the Department of the\nInterior Automated Information Systems Handbook regarding visitor (such as maintenance\npersonnel, janitorial staff, and vendors) monitoring.\n\n\n\n\n                                                 15\n\x0c                                                                                      APPENDIX 1\n                                                                                       Page 9 of 20\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\n\n\nCondition:     In RACF, general client user passwords for access to the mainframe were not\n               prompted for change until after 180 days, and user ID codes were not automatically\n               revoked until 180 days of inactivity.\n\nCriteria:      The Department of the Interior Automated Information Systems Security Handbook\n               recommends that passwords be changed every 90 days. Also, generally accepted\n               industry standards indicate that password change intervals should be from 60 to 90\n               days for users who do not have sensitive privileges and every 30 days for users who\n               do have sensitive privileges because passwords may be guessed, copied, overheard,\n               or recorded and played back.\n\nCause:         To make access to the mainframe applications more convenient for Service Center\n               clients who use the mainframe applications only occasionally, notably the SF-52\n               System users, the Service Center increased the password interval to 180 days in 1994\n               after receiving approval from the Bureau of Reclamation\xe2\x80\x99s Security Administrator.\n               However, this approval recommended that the Service Center change the password\n               parameters, such as requiring a numeric or special character as part of the password,\n               set in RACF security software. Service Center officials stated that the 180-day\n               interval was acceptable because of security available within the mainframe\n               applications. However, not all of the mainframe applications have access security.\n\nEffect:        The current password settings reduce the effectiveness of the password as a control,\n               thereby increasing the risk for unauthorized access to sensitive information through\n               password disclosure.\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Evaluate the feasibility of setting the parameters in RACF security software to require one\nnumeric or special character as part of the password, as recommended by the Bureau of\nReclamation\xe2\x80\x99s Security Administrator.\n\n      2. Reevaluate the standard RACF password change intervals and revocation settings to ensure\nthat the level of risk associated with the mainframe applications and the current password settings is\n\n\n\n                                                  16\n\x0c                                                                                   APPENDIX 1\n                                                                                   Page 10 of 20\n\n\nacceptable to the Service Center, as well as to its clients and the Department, and address these\nresults in a current risk assessment.\n\n\n\n\n                                               17\n\x0c                                                                                   APPENDIX 1\n\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nH. SMF Logs\n\nCondition:   At least 27 Service Center user ID codes that were allowed access to the TSO\n             software had \xe2\x80\x9calter\xe2\x80\x9d access to the \xe2\x80\x9cSYSl .MAN%\xe2\x80\x9d dataset. The SYSl.MAN%\n             dataset contains the SMF logs that record all system activity, thereby providing a\n             system audit trail. In addition, a critical SMF record type, record type 60, was not\n             active.\n\nCriteria:    Office of Management and Budget Circular A-130 recommends that adequate audit\n             trails exist so that an adverse impact on general support systems is prevented or\n             detected. Also, Federal Information Processing Publication 41, \xe2\x80\x9cComputer Security\n             Guidelines for Implementing the Privacy Act of 1974,\xe2\x80\x9d provides guidelines for system\n             security and addresses the importance of having audit trails of all system activity.\n\nCause:       The Service Center had insufficient policies and procedures surrounding the\n             protection of the SYS1.MAN% datasets. Also, SMF record type 60 was not active\n             because Service Center officials said that they believed another software product\n             INFOPAC (report generation software) created too many records. They said,\n             therefore, that to reduce the amount of storage needed for SMF logs, record type 60\n             was not activated.\n\nEffect:      By allowing users \xe2\x80\x9calter\xe2\x80\x9d access to these logs, the risk is increased for the SMF logs\n             to be inaccurate. Furthermore, because record type 60 is not active, no system audit\n             trail exists to determine whether the changes to sensitive datasets by authorized\n             individuals are appropriate. Specifically, because the PAY/PERS application has no\n             internal security to monitor access and changes to its datasets, the Service Center\n             relies only on RACF security. The active SMF record types identified only security\n             violations and did not record changes made to datasets. Therefore, in the PAY/PERS\n             application, there was no system audit trail available to monitor and evaluate changes\n             made to PAY/PERS sensitive data.\n\n\n\n\n                                               18\n\x0c                                                                                    APPENDIX 1\n                                                                                    Page 12 of 20\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center :\n\n     1. Evaluate the feasibility of limiting the number of Service Center users who have access\nauthority to alter SMF logs.\n\n     2. Ensure that the SMF record type 60 logging is active or RACF settings are adjusted to\nspecifically audit critical datasets maintained on the mainframe computers and to therefore provide\nan audit trail of system activity.\n\n\n\n\n                                                 19\n\x0c                                                                                    APPENDIX 1\n                                                                                    Page 13 of 20\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nI.   \xe2\x80\x9cOPERATIONS\xe2\x80\x9d Attribute\n\nCondition:   The Service Center gave access to all of the operating system resources by assigning\n             the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute to 85 active Service Center user IDS without logging\n             the activities of these users. Through this access, users could make unauthorized\n             changes to the mainframe computer operating system and sensitive application\n             datasets without being detected by routine security controls.\n\nCriteria:    The RACF Auditor\xe2\x80\x99s Guide states that \xe2\x80\x9cthe OPERATIONS attribute allows a user\n             access to almost all resources\xe2\x80\x9d and that the \xe2\x80\x9cgroup-OPERATIONS attribute allows\n             a user access to almost all resources within the scope of the group and its subgroups.\xe2\x80\x9d\n             The \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute, with some exceptions, provides the user with full\n             control over datasets. Further, the RACF Security Administrator\xe2\x80\x99s Guide\n             recommends that the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute be assigned to a minimum number\n             of people and that the activities of the users be logged. RACF allows the use of more\n             restrictive authorities, such as DASDVOL authority, when routine maintenance\n             operations are performed. RACF security software also provides the option to log\n             activities of users with the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute by activating the OPERAUDIT\n             option.\n\nCause:       The Service Center had not assigned more restrictive authorities to individuals who\n             performed routine system maintenance tasks because the Service Center had not\n             evaluated the system access authority needed for individual users in performing their\n             day-to-day functions. Also, the Service Center had not implemented the\n             OPERAUDIT security feature in RACF that would log user activities as a result of\n             the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute.\n\nEffect:      Because the OPERAUDIT security feature had not been activated, any resource on\n             the mainframe computer could be accessed using the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute\n             without recording the user\xe2\x80\x99s access. This setting, along with the lack of system audit\n             trails that would be produced by the SMF 60 record type, increases the risk for\n             intentional or accidental unauthorized system actions to occur and not be detected.\n\n\n\n\n                                               20\n\x0c                                                                                 APPENDIX 1\n                                                                                 Page 14 of 20\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n    1. Evaluate the extent to which the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute should be available to Service\nCenter user IDS. Specifically, the use of other more restrictive RACF authorities (such as\nDASDVOL authority) should be considered where possible.\n\n     2. Activate the security feature RACF OPERAUDIT and ensure that security personnel perform\nperiodic reviews of the resultant logs to identify unauthorized activity.\n\n\n\n\n                                              21\n\x0c                                                                                           APPENDIX I\n                                                                                           Page 15 of 20\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nJ. ADP Access Levels\n\nCondition:      Users in the Service Center\xe2\x80\x99s ADP Services Division had significant access levels.\n                For example, 28 user IDS had RACF authority to emulate the master console, even\n                though the authority to issue operator commands through the TSO was not given to\n                these individuals. In addition, 28 user IDS had \xe2\x80\x9calter\xe2\x80\x9d access to the system parameter\n                libraries (for example, the SYSl .PARMLIB) through the TSO.\n\nCriteria:       Office of Management and Budget Circular A-130 requires, at a minimum, that\n                agency programs incorporate controls such as \xe2\x80\x9cseparation of duties, least privileged,\n                and individual accountability\xe2\x80\x9d within their major applications.\n\nCause:          Because of other Service Center priorities, the group responsible for monitoring\n                security had not performed an audit of user access levels and therefore had not\n                identified the required necessary changes and had not ensured that user access was at\n                the authorized level. In addition, the ADP Services Division had not implemented\n                procedures to ensure that \xe2\x80\x9cleast privileged\xe2\x80\x9d access controls and appropriate separation\n                of duties were in place.\n\nEffect:         By allowing significant access levels to critical functions, the risk is increased for\n                datasets to be altered without authorization and for the alteration to go undetected\n                by normal operating controls. Without periodic review of user access levels, the risk\n                is increased that the access given to a user will exceed that which is necessary to\n                perform the user\xe2\x80\x99s daily job.\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Ensure that the group responsible for monitoring security performs periodic reviews of user\naccess levels to identity required necessary changes and to ensure that user access levels are\nauthorized.\n\n      2. Institute a policy of \xe2\x80\x9cleast privileged\xe2\x80\x9d access levels to ensure that access to resources and data\nis limited to those users who require such access.\n\n\n\n\n                                                    22\n\x0c                                                                                        APPENDIX 1\n                                                                                        Page 16 of 20\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nK. RACF Software Internal Controls\n\nCondition:    Responsibilities of the RACF security administrator (assigned the SPECIAL attribute\n              within RACF) had been combined with the responsibilities of the RACF auditor\n              (assigned the AUDITOR attribute within RACF). In addition, seven user IDS within\n              the Service Center had these combined attributes. This weakness was previously\n              identified in a March 1994 Office of Inspector General audit report (No. 94-I-357).\n\nCriteria:     The RACF Auditor\xe2\x80\x99s Guide addresses the importance of the separation of duties\n              between the security administrator and the auditor. The Guide states, \xe2\x80\x9cThe separation\n              of powers is necessary because it is the security administrator\xe2\x80\x99s job to establish RACF\n              controls, and it is the auditor\xe2\x80\x99s function to test the adequacy and effectiveness of these\n              controls. \xe2\x80\x9d\n\nCause:        Service Center officials stated that RACF security administrator and RACF auditor\n              functions were performed by the same individual because of the limited number of\n              staff assigned to the group responsible for monitoring security. They further stated\n              that the Service Center had a limited number of individuals who had expertise in the\n              area of RACF administration,\n\nEffect:        The control over the RACF security administrator function is lost because there was\n               no systematic monitoring of this powerful function. Therefore, the risk exists for\n               accidental or intentional unauthorized actions that could disrupt information system\n               operations and threaten the integrity of the sensitive information.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, evaluate the staffing requirements\nof the group responsible for monitoring security to ensure the separation of duties within RACF.\n\n\n\n\n                                                 23\n\x0c                                                                                      APPENDIX 1\n                                                                                      Page 17 of 20\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\n\n\nCondition:     Mainframe access given to users as assigned in RACF was not always supported by\n               a formal request or was not recorded in the Service Center\xe2\x80\x99s Decentralized Security\n               Administration Facility.\n\nCriteria:      The Service Center\xe2\x80\x99s policy is for formal authorization requests to be obtained from\n               the designated security point of contact before users are permitted to access sensitive\n               data on the mainframe computer. In addition, the point of contact can orally notify\n               the Service Center for adjustments to the users\xe2\x80\x99 access requirements. Also, generally\n               accepted industry standards recommend that reconciliations exist between what has\n               been formally requested and what access level was actually granted to ensure that\n               mishandling, alterations, and misunderstandings are reduced.\n\nCause:         Orally requested access level adjustments that were approved were not always\n               recorded in the access request system because the Service Center did not always\n               enforce the procedures to record approved access level adjustments.\n\nEffect:        By not updating Decentralized Security Administration Facility records for\n               adjustments to accesses requested, the system administrator cannot reconcile the\n               formal authorization and the Decentralized Security Administration Facility records\n               with the RACF access levels assigned to users and thus ensure that access is assigned\n               at the appropriate level.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, document and implement\nprocedures to ensure that Decentralized Security Administration Facility records are updated for oral\naccess adjustments to allow for the reconciliation of access requested with access allowed.\n\n\n\n\n                                                 24\n\x0c                                                                                        APPENDIX 1\n                                                                                        Page 18 of 20\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nM. Computer Security Plan/Report\n\nCondition:     The Service Center had not developed a security plan for fiscal year 1996\n\nCriteria:     The Computer Security Act of 1987 requires that all agencies improve the security\n              and privacy of sensitive information in Federal computer systems. Specifically, the\n              Act requires that security plans be developed for all sensitive computer systems. A\n              computer security plan is designed to assist agencies in addressing the protection of\n              general support systems and major applications that contain sensitive information to\n              help ensure the system\xe2\x80\x99s integrity, availability, and confidentiality. In addition, Office\n              of Management and Budget Circular A-130, Appendix III, states that agencies\n              without adequate security plans should consider classifying this as a material\n              weakness in their annual Federal Managers\xe2\x80\x99 Financial Integrity Act report to the\n              Congress.\n\nCause:         A computer security plan was not prepared for fiscal year 1996 because of limited\n               staffing in the group responsible for monitoring security.\n\nEffect:       Without this plan, the Service Center did not have adequate assurance that data in its\n              sensitive systems were adequately protected. In addition, the Service Center had a\n              material weakness, which should be reported in its annual Federal Managers\xe2\x80\x99 Financial\n              Integrity Act report to the Congress.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, provide resources to ensure the\ndevelopment of a computer security plan for the sensitive systems in accordance with the Computer\nSecurity Act and Circular A-130, Appendix III.\n\n\n\n\n                                                 25\n\x0c                                                                                        APPENDIX 1\n                                                                                        Page 19 of 20\n\n\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\nN. Continuity of Operations Plan\n\nCondition:     The Service Center\xe2\x80\x99s Continuity of Operations Plan (dated December 28,1995) did\n               not address recovery of one of the sensitive systems, the FFS; the LAN; and critical\n               telecommunications links. Also, the Plan had not been updated to reflect all tests of\n               the Plan completed in 1996. Additionally, the risk analysis, upon which the Plan is to\n               be based, had not been updated since July 1990.\n\nCriteria:      Office of Management and Budget Circular A- 130 requires agencies to establish a\n               comprehensive contingency plan and periodically test the capability to perform the\n               agency function supported by the application, as well as critical telecommunications\n               links, in the event of a disaster or system failure. In order to accurately and\n               successfully test the disaster recovery capabilities, the disaster recovery plans need to\n               be updated as changes occur. In addition, the Circular states that \xe2\x80\x9cmanual procedures\n               are generally NOT [emphasis in original] a viable back-up option.\xe2\x80\x9d\n\nCause:         Service Center officials said that update of the risk analysis and continuity of\n               operations plan had low priorities. In addition, Service Center officials stated that the\n               FFS application was not included in the Plan as a result of Service Center clients\n               agreeing that FFS services could be delayed for 30 days because processing could be\n               performed manually. However, we found no documentation of such agreements.\n\nEffect:        If the Continuity of Operations Plan is incorrect (such as by not including all sensitive\n               systems) or is outdated, personnel required to perform the disaster recovery\n               procedures may not be able to recover critical systems in the event of a disaster or\n               system failure.\n\nRecommendations:\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Perform a risk analysis of the Service Center\xe2\x80\x99s computer center and its applications.\n\n    2. Update the existing Continuity of Operations Plan for the mainframe, sensitive applications,\nand telecommunications links so that the current operating environment is documented.\n\n\n\n\n                                                  26\n\x0c                                                                                     APPENDIX 1\n                                                                                     Page 20 of 20\n\n\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\n\n\nCondition:    No comprehensive business recovery plan had been developed for the Service Center.\n              The only plan in existence at the Service Center was the Continuity of Operations\n              Plan, which addressed only the recovery of the systems environment. The Plan did\n              not address business and user operations that need to be in effect for the Service\n              Center to support its clients in the event of a disaster or system failure.\n\nCriteria:     Of&e of Management and Budget Circular A-l 30 requires agencies to establish\n              controls to ensure adequate security for all information processed, transmitted, or\n              stored in Federal automated information systems. In addition, generally accepted\n              information systems standards recognize that a comprehensive business recovery plan\n              is necessary to ensure the timely recovery of all business functions and of the systems\n              environment, both of which are critical for day-to-day operations, and to minimize\n              down time.\n\nCause:        The Service Center\xe2\x80\x99s emphasis was on the restoration of the mainframe environment\n              rather than on the recovery of business operations.\n\nEffect:       If a disaster or system failure occurs, the Service Center may not be able to recover\n              all business functions and systems necessary for the continued long-term operations\n              of the organization.\n\nRecommendation:\n\nWe recommend that the Director, Administrative Service Center, develop a comprehensive business\nrecovery plan, which includes procedures for its business functions.\n\n\n\n\n                                                27\n\x0c                                                                                       APPENDIX 2\n                                                                                        Page 1 of 26\n                   United States Department of the Interior\n                                     BUREAU OF RECLAMATION\n                                          Washington. D.C. 20240\n\nIS REPLYREFERTO\n\n\n\n   D-5010\n   ADM-8.00\n\n\n                                           MEMORANDUM\n\n   To:            Office of Inspector General\n                   Attention: Acting Assistant Inspector\n                                                  - General for Audits\n   From:\n\n\n   Subject:       Draft Audit Report on Mainframe Computer Policies and Procedures\n\n\n   The Bureau of Reclamation appreciates the opportunity to comment on the subject report.\n   Reclamation concurs or has complied with 23 of the 24 of the audit recommendations and we\n   fully recognize the importance of computer security and that our policies and procedures can be\n   improved. However, we believe the Administrative Service Center (ASC) has in place an\n   adequate security program and are concerned with certain aspects of the report as outlined below.\n\n   The report identified physical security as a weakness, We believe extensive physical security\n   measures are in place at the ASC. The computer and related hardware (such as mainframe\n   computer, direct access storage devices, tape devices, telecommunications equipment, large\n   volume printers, etc.) are located in a locked computer room controlled for authorized access\n   only. In addition, the computer room is located in a secure building where all outside doors are\n   locked and require an individual access card for authorized entry. ASC security also includes on-\n   site armed guard service 24 hours a day, 7 days a week. Following the Oklahoma City bombing,\n   the Justice Department was directed by the President to conduct a Vulnerability Assessment of\n   Federal Facilities. This assessment recognized five levels of security for Federal facilities based\n   upon perceived threat and established security standards for each of the live levels. Based on this\n   criteria, the ASC was deemed a Level III facility. The GSA participated in a review of ASC\n   security and concluded the ASC exceeded Level III security requirements.\n\n   The audit report identified areas to reduce security risks and recommended specific actions to\n   reduce those risks. Both OMB Circulars A-123 and A-130 recognize cost as an important\n   consideration and require that agencies implement cost effective management and internal\n   controls. For instance, OMB Circular A-130 recognizes both risk and cost in addressing\n   \xe2\x80\x9cadequate security.\xe2\x80\x9d Yet, discussions with the auditors confirmed that cost was not considered in\n   recommending these specific actions to reduce risk.\n\n\n\n\n                                                  28\n\x0c                                                                                    APPENDIX 2\n                                                                                     Page 2 of 26\n\n\n                                                                                                     2\n\nThe audit report referred to \xe2\x80\x9cgenerally accepted industry and information systems standards\xe2\x80\x9d and\nreported the ASC as noncompliant in several instances. Discussions with the auditors confirmed\nthat a conclusive set of these \xe2\x80\x9cstandards\xe2\x80\x9d was not available and the auditors were not aware as to\nwhether these \xe2\x80\x9cstandards\xe2\x80\x9d had ever been issued as official Government-wide policy. The\nDepartment of the Interior\xe2\x80\x99s Office of Information Resources Management likewise advised that\nthey were unaware of these \xe2\x80\x9cstandards\xe2\x80\x9d and their applicability to Interior organizations.\n\nAgain, we appreciate the opportunity to comment on the subject report. Attached are our specific\ncomments for each recommendation. If you have any questions or require additional information,\nplease contact Luis Maez at (303) 236-3289, extension 245.\n\n\n\n\nAttachment\n\ncc:    Assistant Secretary - Water and Science, Attention: Margaret Carpenter\n                 (w/attachment)\n\n\n\n\n                                                29\n\x0c                                                                                    APPENDIX 2\n                                                                                     Page 3 of 26\n\n\n\n\nCOMPUTER CENTER MANAGEMENT AND OPERATIONS\n\nA. Background Clearances\n\nCondition:    Critical contractor personnel, such as the RACF administrator and software\n              management personnel, did not have documented clearances.\n\nCriteria:\n              to establish and manage personnel security policies, standards, and procedures that\n              include requirements for screening individuals who: (1) participate in the design,\n              development, operation, or maintenance of sensitive applications or (2) have access\n              to sensitive data.\n\nCause:        While Federal employees are required to have background clearances, the Service\n              Center did not apply this requirement to contractors.\n\nEffect:       Without proper personnel screening, managers had limited knowledge of the\n              suitability of contractor personnel, from a security standpoint, for their respective\n              jobs. Without this assurance, the risk is increased for the Service Center\xe2\x80\x99s sensitive\n              systems to be compromised.\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center, require all contractor employees\nto have the proper background clearances.\n\n              Response\n\n              Complied. All ADP contractor employees, including RACF administrators and\n              systems software management personnel, are required to have background clearances.\n              The Statement of Work for the GSA T&Part Contract (which ADP Services Division\n              uses) contained a Level 3, critical-sensitive requirement, but this provision was not\n              previously enforced. Also, at our request, the Colorado Bureau of Investigation has\n              completed background investigations on all ADP contractor personnel. This is also\n              a continuing requirement for all new-hire contractor personnel.\n\n\n\n\n                                              30\n\x0c                                                                                  APPENDIX 2\n                                                                                   Page 4 of 26\n\n\nLAN PROTECTION\n\nB. LAN Monitoring\n\nCondition:    Four file servers at the Service Center had minimal lockout settings. For example,\n              current lockout procedures provide for only a I5-minute lockout after three or four\n              unsuccessful log-in attempts We believe that these lockout settings would not\n              adequately identify unauthorized access. The NetWare operating system software\n              supports an \xe2\x80\x9cintruder detection/lockout feature,\xe2\x80\x9d which aids in the prevention of\n              unauthorized access to the system. The system will suspend a user account when a\n              predefined number ofunsuccessM access attempts occurs in a predetermined amount\n              of time. The time that an account is suspended may also be defined.\n\nCriteria:     The Privacy Act of 1974 and the Computer Security Act of 1987 require\n              implementation of minimally acceptable security practices for improving the security\n              and privacy of sensitive information in Federal computer systems. Office of\n              Management and Budget Circular A-130 requires agencies to establish controls to\n              ensure adequate security for all information processed, transmitted, or stored in\n              Federal automated information systems. Also, the Circular requires agencies to\n              ensure that appropriate safeguards exist in general support systems (for example,\n              LANs and the data processing center, including the operating system and utilities).\n              In addition, industry standards recommend a lockout period of 7 days.\n\nCause:\n              Reclamation\xe2\x80\x99s LAN standards. IIowever, the Bureau\xe2\x80\x99s LAN implementation\n              guidelines recognize that the minimum settings for intruder lockout parameters may\n              be unacceptable to many offices. We believe, given the sensitivity of data at the\n              Service Center, that minimum settings are unacceptable to ensure protection from\n              unauthorized access to sensitive data.\n\nEffect:       The minimum level of security set for the LAN increases the risk that unauthorized\n              access to the Service Center\xe2\x80\x99s LAN resources will not be detected timely.\n\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center, enhance the intruder detection\nsettings above the Bureau of Reclamation\xe2\x80\x99s policy to suspend a user account, after unsuccessful\naccess attempts, for a period of time long enough to ensure that the user will have to contact an\nadministrator to have the user ID reset. For example, the user ID could be suspended for 24 hours\nafter three incorrect attempts occurred in a 24-hour period.\n\n\n\n\n                                                  2\n\n\n                                             31\n\x0c                                                                        APPENDIX 2\n                                                                         Page 5 of 26\n\nLAN PROTECTION\n\n       Response\n\n       Concur with intent. Although lockout settings already meet Reclamation LAN\n       standards, we are willing to consider additional security enhancements as deemed\n       appropriate. An evaluation will be made to determine if the settings should be\n       changed. This evaluation is scheduled to be completed by June 30, 1997. The\n       responsible official is the Chief, ADP Services Division.\n\n\n\n\n                                       3\n\n\n                                     32\n\x0c                                                                                      APPENDIX 2\n                                                                                       Page 6 of 26\n\n\n\nLAN PROTECTION\n\nC. LAN Disaster Recovery Plan\n\nCondition:    The Service Center did not have a documented disaster recovery plan for its LAN.\n              This weakness was identified in a March 1994 Office of Inspector General audit\n\n              risk analysis (the first step in developing a disaster recovery plan) on its LAN.\n\nCriteria:     Office of Management and Budget Circular A-130, Appendix III, requires agencies\n              to establish controls to ensure adequate security for all information processed,\n              transmitted, or stored in Federal automated information systems. Specifically,\n              agencies should establish a contingency plan and periodically test the capability of the\n              plan to perform the f?mction in the event that its automated systems fail.\n\nCause:        Because no risk analysis has been performed on the LAN, no disaster recovery plan\n             -has been developed by the Service Center.\n\nEffect:       The lack of a disaster recovery plan increases the risk that offices will not be able to\n              resume processing on a timely basis after a disaster occurs.\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center, develop and periodicahy update a\ndisaster recovery plan for the LAN.\n                                                                                          .\xe2\x80\x98\n              Response\n\n              Concur. A risk analysis of the ASC LAN environment will be completed by\n              September 30, 1997. The risk analysis will provide the basis for development of a\n              LAN Disaster Recovery Plan which is targeted for completion by March 3 1, 1998.\n              The responsible official is the Chief, ADP Services Division.\n\n\n\n\n                                                 4\n\n\n                                               33\n\x0c                                                                                    APPENDIX 2\n                                                                                     Page 7 of 26\n\n\n\nLAN PROTECTION\n\nD. User Access Control\n\nCondition:   The security settings that provide access to the file servers were not controlled. We\n             identified weaknesses in the way user profiles had been established. In NetWare,\n             established user profiles superseded the ftle server default restrictions. As such, some\n             users had a required password change interval greater than 90 days, had concurrent\n             multiple or unlimited connections, and were not required to use unique passwords.\n\n             In addition, the \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command was not used on any of the file\n             servers we reviewed. The \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command is designed to prevent\n             users from gaining access to the file server console by removing DOS from the system\n             memory when the operating system is powered down. Also, the \xe2\x80\x9cSET ALLOW\n             UNENCRYPTED PASSWORD = ON\xe2\x80\x9d was found on two of the file servers\n             reviewed. This designation allows passwords to be UNENCRYPTED, thereby\n             increasing the risk for passwords to be obtained and used by unauthorized users.\n\nCriteria:    Office of Management and Budget Circular A- 130, Appendix III, requires agencies\n             to establish controls to ensure adequate security for all information processed,\n             transmitted, or stored in Federal automated information systems. It also requires\n             agencies to implement and maintain a program to ensure that adequate security is\n             provided for all agency information collected, processed, transmitted, stored, or\n             disseminated in general support systems and major applications. The Circular further\n             defines \xe2\x80\x9cadequate security\xe2\x80\x9d as \xe2\x80\x9csecurity commensurate with the risk and magnitude\n             of harm resulting from the loss, misuse, or unauthorized access to or modification of\n             information. \xe2\x80\x9d\n\nCause:       Service Center procedures were not followed or were not in place to ensure that\n             controls were adequate to safeguard the LANs.\n\nEffect:      The minimum security settings for the Service Center\xe2\x80\x99s LAN increase the risk for\n             unauthorized access to network systems, which could result in the loss of data and\n             in unauthorized individuals gaining access to sensitive data files through DOS by\n             bringing down the file server.\n\n\n\n\n                                                5\n\n                                              34\n\x0c                                                                                    APPENDIX 2\n                                                                                     Page 8 of 26\n\n\nLAN PROTECTION\n\nRecommendations\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Ensure that LAN security and password features are implemented, which will require all users\nto change passwords every 90 days; enforce unique password use; and limit concurrent multiple or\nunlimited connections to one per user and grant additional connections on an as-needed basis.\n\n\n               Response\n\n               Complied. The password change interval has been changed to 90 days or less on all\n               servers. Unique passwords are now required for all individual users. Concurrent\n               multiple connection authority has been removed from all accounts with the exception\n               of those where a demonstrated need. exists. Requests for multiple .concurrent\n               connections now require completion of an ASC-14 Computer Security Access\n               Request Form with appropriate supervisory authorization.\n\n     2. Include the \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command in the AUTOEXEC.NCF file on all file servers\nto prevent users from gaining access to the system files in DOS mode.\n                                                                                      . \xe2\x80\x98,\n               Response\n\n               Complied. A procedure to secure the console on all ASC file servers was\n               implemented in August 1996. The \xe2\x80\x9cLOAD MONITOR\xe2\x80\x9d command with the \xe2\x80\x9clock\xe2\x80\x9d\n               option was included in the AUTOEXEC.NCF file in January 1997.\n\n     3. Ensure that the command \xe2\x80\x9cSET ALLOW UNENCRYPTED PASSWORD=ON\xe2\x80\x9d is not\npresent in the AUTOEXEC.NCF file.\n\n               Response\n\n               Concur. The \xe2\x80\x9cSET ALLOW UNENCRYPTED PASSWORD=ON\xe2\x80\x9d command cannot\n               be set at this time. Certain versions of the NETWARE \xe2\x80\x9cNETX\xe2\x80\x9d client requestor are\n               present on some ASC workstations that are not compliant with the encrypted\n               password feature. When the migration to Netware 4. lx NDS (Novell Directory\n               Services) is completed at the ASC and all client workstations have been migrated to\n               Netware VLMs, this command will be invoked on all file servers. Migration to NDS\n               will be completed as part of a Reclamation-wide effort. Although unencrypted\n               passwords are accepted at this time, the vast majority of passwords processed by ASC\n               file servers are currently encrypted. Target date for completion is March 3 1, 1998.\n               The responsible official is the Chief, ADP Services Division.\n\n\n                                                 6\n\n\n                                               35\n\x0c                                                                                       APPENDIX 2\n                                                                                        Page 9 of 26\n\n\n\nFFS APPLICATION                                                                       -\nE. Access Security Controls\n\nCondition:     FFS security access controls were not adequate. We identified 15 users. who were\n               Service Center employees. who could update and modify the application vendor table\n               of one of the Service Center\xe2\x80\x99s clients, as well as initiate disbursement documents.\n               This access could result in the vendor table being changed and in an unauthorized\n               disbursing document being entered.\n\nCriteria:      Office of Management and Budget Circular A-l30, Appendix III, requires that\n               security controls for personnel include such controls as individual accountability,\n               \xe2\x80\x9cleast privileged,\xe2\x80\x9d and separation of duties. \xe2\x80\x9cLeast privileged\xe2\x80\x9d is the practice of\n               restricting users\xe2\x80\x99 access (to data files, to processing capability, or to peripherals) or\n               type of access (read, write, execute, or delete) to the minimum necessary for the users\n               to perform their jobs. Separation of duties is the practice of dividing the steps in a\n               critical function among different individuals.\n\nCause:         Although the Service Center provided payment services to its client, the Service\n               Center had not ensured that security controls in the FFS application prevented\n               unauthorized payments.\n\nEffect:        Without the applicable security access controls, the risk is increased for unauthorized\n               payments to be disbursed.\n\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center. coordinate with the client to limit\nService Center users\xe2\x80\x99 access to the \xe2\x80\x9cleast privileged\xe2\x80\x9d in the FFS application; that is, assurance should\nbe provided that any user authorized to enter or change the vendor table does not also have access\nto disbursing documents.\n\n               Response\n\n               Complied. As requested by the ASC, the client has changed FFS security such that\n               no employees have access to both the vendor tables and disbursement fimction. It\n               should be noted that this condition was confined strictly to the transfer of a client\xe2\x80\x99s\n               administrative payments function and related employees to the ASC in May 1996.\n               The client is responsible for managing and controlling FFS access for this payments\n               function. In other words, the ASC cannot initiate or change FFS access for\n               employees performing this client\xe2\x80\x99s payments. Also, it should be noted that\n               discussions with the auditors confirmed that no unauthorized disbursements were\n               found.\n\n                                                     7\n\n\n                                                36\n\x0c                                                                                       APPENDIX 2\n                                                                                       Page 10 of 26\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nF. Physical Security\n\nCondition:     Although access to the Service Center facilities was controlled, the Service Center\n               could not identify all individuals who had card key access to the computer rooms,\n               which house the mainframe and LAN. In addition, some Service Center visitors (for\n               example, maintenance personnel, janitorial staff, and vendors) were not monitored\n               when they were inside the computer room.\n\nCriteria:      The Department of the Interior Automated Information System Handbook, when\n               addressing the control for personnel access to computer facilities, states, \xe2\x80\x9cAccess by\n               visitors, equipment personnel, and other individuals not directly involved with\n               managing or operating a sensitive automated information system installation will be\n               controlled by individual authorization.\xe2\x80\x9d The Handbook further states that it is\n               recognized that different procedures and restrictions will be required for various\n               categories of visitors but that all access by other than assigned personnel will be\n               monitored.\n\nCause:         The Service Center\xe2\x80\x99s informal procedures provided for vendors, as well as for the\n               building management company, to be issued card keys to these sensitive areas without\n               identifying the individuals receiving the cards and without requiring formal access\n               request forms. Also, current practices allow certain visitors to be unmonitored when\n               they are in the sensitive areas.\n\nEffect:        The Service Center cannot specifically identify all those individuals who have access\n               to and/or are accessing the computer rooms. Furthermore, by not monitoring all\n               visitors, the risk is increased for the Service Center\xe2\x80\x99s sensitive data and resources to\n               be stolen or destroyed.\n\n\nRecommendations\n\nWe recommend that the Director, Administrative Service Center:\n\n\ninstituted for vendors in addition to contractors and Federal employees.\n\n               Response\n\n               Complied. Procedures for the issuance of card keys for vendors, contractors, and\n               Federal employees have been documented. As evidenced by this recommendation,and\n               Recommendation 3 (below), we believe this condition should have been more\n\n\n\n                                                  8\n\n\n                                                37\n\x0c                                                                                     APPENDIX 2\n                                                                                     Page 11 of 26\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\n               appropriately stated as a currency of documentation issue. Two levels of security\n               control must be passed before entry into the computer room. As concluded by GSA,\n               ASC\xe2\x80\x99s physical security exceeds security standards for a Level III Federal facility.\n               Although the ASC has always had a strong physical security emphasis and program\n               in place, it was recently enhanced with implementation of a picture identification card\n               system that is now compatible with the Bureau of Reclamation system for Building 67\n               at the Denver Federal Center.\n\n     2. Evaluate the need for individuals outside of the ADP Services Division to be issued permanent\ncard keys because such access should be limited to those individuals performing their day-to-day\nduties.\n\n               Response\n\n               Complied. The evaluation was completed by the ADP Services.Di4sion and the\n               Management Services Division in February 1997. Permanent card keys are issued to\n               just those individuals deemed appropriate.\n\n     3. Document procedures to ensure the Service Center\xe2\x80\x99s compliance with the Department of the\nInterior Automated Information Systems Handbook regarding visitor (such as maintenance\npersonnel, janitorial staff, and vendors) monitoring.                                   .:\n\n               Response\n\n               Complied. Procedures for monitoring visitor access to the computer room have been\n               documented by the Management Services Division in compliance with the Department\n               of the Interior\xe2\x80\x99s Automated Information Systems Handbook.\n\n\n\n\n                                                    9\n\n\n                                               38\n\x0c                                                                                    APPENDIX 2\n                                                                                    Page 12 of 26\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nG. Password Settings\n\nCondition:     In RACF, general client user passwords for access to the mainframe were not\n               prompted for change until after 180 days, and user ID codes were not automatically\n               revoked until 180 days of inactivity.\n\nCriteria:      The Department of the Interior Automated Information Systems Security Handbook\n               recommends that passwords be changed every 90 days. Also. generally accepted\n               industry standards indicate that password change intervals should be fi-om 60 to 90\n               days for users who do not have sensitive privileges and every 30 days for users who\n               do have sensitive privileges because passwords may be guessed. copied, overheard,\n               or recorded and played back.\n\nCause:         To make access to the mainframe applications more convenient for Service Center\n               clients who use the mainframe applications only occasionally, notably theSF=52\n               System users, the Service Center increased the password interval to 180 days in 1994\n               after receiving approval from the Bureau of Reclamation\xe2\x80\x99s Security Administrator.\n               However, this approval recommended that the Service Center change the password\n               parameters, such as requiring a numeric or special character as part of the password,\n               set in RACF security software. Service Center officials stated that the \xe2\x80\x98180-day\n               inrerval was acceptable because of security available within the mainframe\n               applications. However, not all of the mainframe applications have access security.\n\nEffect:        The current password settings reduce the effectiveness of the password as a control,\n               thereby increasing the risk for unauthorized access to sensitive information through\n               password disclosure.\n\n\nRecommendations\n\nWe recommend that the Director. Administrative Service Center:\n\n     1. Evaluate the feasibility of setting the parameters in RACF security software to require,one\nnumeric or special character as part of the password, as recommended by the Bureau of\nReclamation\xe2\x80\x99s Security Administrator.\n\n               Response\n\n               Concur. An evaluation of using one numeric or special character as part of the ASC\n               standard password will be completed by September 30, 1997. The responsible offtcial\n               is the Chief, ADP Services Division.\n\n\n\n                                                10\n\n\n                                               39\n\x0c                                                                                     APPENDIX 2\n                                                                                     Page 13 of 26\n\n\nMAINFRAME SYSTEM PHY-SICAL AND LOGICAL SECURITY\n\n      2. Reevaluate <he standard RACF password change intervals and revocation settmgs to ensure\nthat the level of risk associated with the mainframe applicattons and the current password settings is\nacceptable to the Service Center, as well as to its clients and the Department, and address these\nresults in a current risk assessment.\n\n               Response\n\n               Concur with intent. The ASC plans to recontirm the 180-day interval with clients and\n               the Department System Owner. This e8ot-t is targeted for completion September 30,\n               1997. The responsible offtcial is the Chief, ADP Services Division.\n\n               It should be noted, however, that the 180-day password interval exists for only one\n               application....the automated SF-52 System. The extended interval was requested by\n               clients primarily for infrequent users of the system and was coordinated with the\n               Department of the Interior System Owner and the Interior Depattment\xe2\x80\x99s Office of\n               Information Resource Management. In addition a waiver to use the 1 go-day interval\n               was obtained from the Bureau of Reclamation Computer Security Manager per the\n               procedures set forth in 375 DM 19. It should also be noted that while 1180 days is the\n               overall system maximum: the password expiration period for each user is set\n               individually by the client\xe2\x80\x99s Security Point-of-Contact based on their evaluation of the\n               risk associated with the user. The ASC has issued guidance to its clients\n               recommending that the expiration period of 180 days only be used for infrequent users\n               of the system whose access presents a low risk. Finally, the last two sentences of the\n               \xe2\x80\x9cCause:\xe2\x80\x9d refer to mainframe applications and whether or not they have access\n               security. Since the 180-day interval only relates to the automated SF-52 System\n               which does have access security, the two sentences are not relevant to this issue.\n\n\n\n\n                                                  11\n\n\n                                               40\n\x0c                                                                                   APPENDIX 2\n                                                                                   Page 14 of 26\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY                                                   \xe2\x80\x99\n\nH. SMF Logs\n\nCondition:   At least 27 Service Center user ID codes that were allowed access to the TSO\n             software had \xe2\x80\x9calter\xe2\x80\x9d access to the \xe2\x80\x9cSYSl.MAN%\xe2\x80\x9d dataset. The SYSl.MAN%\n             dataset contains the SMF logs that record all system activity. thereby providing a\n             system audit trail. In addition a critical SMF record type, record type 60, was not\n             active.\n\nCriteria:    Office of Management and Budget Circular A-130 recommends that adequate audit\n             trails exist so that an adverse impact on general support systems is prevented or\n             detected. Also, Federal Information Processing Publication 41, \xe2\x80\x9cComputer Security\n             Guidelines for Implementing the Privacy Act of 1974,\xe2\x80\x9d provides guidelines for system\n             security and addresses the importance of having audit trails of ail system activity.\n\nCause:       The Service Center had insufficient policies and procedures surrounding the\n             protection of the SYS1.MAN% datasets. Also, SMF record type 60 was not active\n             because Service Center officials said that they believed another software product\n             INFOPAC (report generation software) created too many records. They said,\n             therefore, that to reduce the amount of storage needed for SMF logs, record type 60\n             was not activated.\n\nEffect:      By allowing users \xe2\x80\x9calter\xe2\x80\x9d access to these logs, the risk is increased for the SMF logs\n             to be inaccurate. Furthermore, because record type 60 is not active, no system audit\n             trail exists to determine whether the changes to sensitive datasets by authorized\n             individuals are appropriate. Specifically, because the PAY/PERS application has no\n             internal security to monitor access and \xe2\x80\x98changes to its datasets, the Service Ctnter\n             relies only on RACF security. The active SMF record types identified only security\n             violations and did not record changes made to datasets. Therefore. rn the PAY/PERS\n             application, there was no system audit trail available to monitor and evaluate changes\n             made to PAY/PERS sensitive data.\n\n\n\n\n                                               12\n\n\n                                             41\n\x0c                                                                                    APPENDIX 2\n                                                                                    Page 15 of 26\n\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY __\n\nRecommendations\n\nWe recommend that the Director. Administrative Service Center :\n\n     1. Evaluate the feasibility of limiting the number of Service Center users who have access\nauthority to alter SMF logs.\n\n               Response\n\n               Complied. The evaluation was completed in December 1996 to limit the number of\n               individuals with access authority to alter SAF logs. This authority has now been\n               limited to just three senior level system programmers that reside in the System\n               Software Management Branch. The evaluation was completed by the Chief, Systems\n               Management Branch, the ASC Computer Security Manager and approved by the\n\n\n    2. Ensure that the SMF record type 60 logging is active or RACF settings are adjusted to\nspecifically audit critical datasets maintained on the mainframe computers and to therefore provide\nan audit trail of system activity.\n\n               Response\n\n               Complied. Batch and TSO type 60 records have always been written to the SMF log.\n               Type 60 record collection has now been activated for \xe2\x80\x9cstarted tasks\xe2\x80\x9d as well.\n\n\n\n\n                                                13\n\n\n                                               42\n\x0c                                                                                     APPENDIX 2\n                                                                                     Page 16 of 26\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nI.   \xe2\x80\x9cOPERATIONS\xe2\x80\x9d Attribute\n\nCondition:   The Service Center gave access to all of the operating system resources by assigning\n             the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute to 85 active Service Center user IDS without logging\n             the activities of these users. Through this access, users could make unauthorized\n             changes to the mainframe computer operating system and sensitive application\n             datasets without being detected by routine security controls.\n\nCriteria:    The RACF Auditor\xe2\x80\x99s Guide states that 3he OPERATIONS attribute allows a user\n              access to almost all resources\xe2\x80\x9d and that the \xe2\x80\x9cgroup-OPERATIONS attribure allows\n              a user access to almost all resources within the scope of the group and its subgroups.\xe2\x80\x9d\n              The \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute, with some exceptions, provides the user with full\n              control over datasets. Further. the RACF Security Administrator\xe2\x80\x99s Guide\n              recommends that the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute be assigned to a minimum number\n             of people and that the activities of the users be logged. RACF allows the use of more\n              restrictive authorities, such as DASDVOL authority, when routine maintenance\n              operations are performed. RACF security software also provides the option to log\n              activities of users with the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute by activating the OPERAUDIT\n              option.\n\nCause:,      The Service Center had not assigned more restrictive authorities to individuals who\n             performed routine system maintenance tasks because the Service Center had not\n             evaluated the system access authority needed for individual users in performing their\n             day-to-day functions.     Also, the Service Center had not implemented the\n             OPERAUDIT security feature in RACF that would log user activities as a result of\n             the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute.\n\nEffect:      Because the OPERAUDIT security feature had not been activated, any resource on\n             the mainframe computer could be accessed using the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute\n             without recording the user\xe2\x80\x99s access. This setting, along with the lack of system audit\n             trails that would be produced by the SMF 60 record type, increases the risk for\n             intentional or accidental unauthorized system actions to occur and not be detected.\n\n\n\n\n                                                14\n\n\n                                              43\n\x0c                                                                                 APPENDIX 2\n                                                                                 Page 17 of 26\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\nRecommendations\n\nWe recommend that the Director, Administrative Service Center:\n\n    1. Evaluate the extent to which the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute should be available to Service\nCenter user IDS. Specifically, the use of other more restrictive RACF authorities (such as\nDASDVOL authority) should be considered where possible.\n\n              Response\n\n                Concur. An evaluation will be conducted to limit the \xe2\x80\x9cOPERATIONS\xe2\x80\x9d attribute to\n                those authorized ADP personnel deemed necessary and appropriate as well as\n                consider other more restrictive RACF authorities. Target date for completion is\n                December 31, 1997. The responsible official is the Chief, ADP Services Division.\n      ._                              ..                                                    ,..\n     2. Activate the security feature RACF OPERAUDIT and ensure that security personnel perform\nperiodic reviews of the resultant logs to identify unauthorized activity.\n\n              Response\n\n              Complied. The feature IUCF OPERAUDIT has been activated and the resultantlogs\n              will be reviewed on a quarterly basis by the ASC Computer Security Manager. It\n              should be noted that this situation is restricted to ADP authorized personnel only.\n\n\n\n\n                                               15\n\n\n                                             44\n\x0c                                                                                        APPENDIX 2\n                                                                                        Page 18 of 26\n\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nJ. ADP Access Levels\n\nCondition:    Users in the Service Center\xe2\x80\x99s ADP Services Division had significant access levels.\n              For example, 28 user IDS had RACF authority to emulate the master console, even\n              though the authority to issue operator commands through the TSO was not given to\n              these individuals. In addition 28 user IDS had \xe2\x80\x9calter\xe2\x80\x9d access to the system parameter\n              libraries (for example, the SYS1.PARMLIB) through the TSO.\n\nCriteria:      Offtce of Management and Budget Circular A-130 requires, at a minimum, that\n               agency programs incorporate controls such as \xe2\x80\x9cseparation of duties, least privileged,\n               and individual accountability\xe2\x80\x9d within their major applications.\n\nCause:         Because of other Service Center priorities. the group responsible for monitoring\n               security had not performed an audit of user access levels and therefore had not\n               identified the required necessary changes and had not ensured that user access wasat\n\n               procedures to ensure that \xe2\x80\x9cleast privileged\xe2\x80\x9d access controls and appropriate separation\n               of duties were in place.\n\nEffect:        By allowing significant access levels to critical functions, the risk is increased for\n               datasets to be altered without authorization and for the alteration to go undetected\n               by normal operating controls. Without periodic review of user access levels,\xe2\x80\x98the risk\n               is increased that the access given to a user will exceed that which is necessary to\n               perform the user\xe2\x80\x99s daily job.\n\nRecommendations\n\nWe recommend that the Director, Administrative Service Center:\n\n     1. Ensure that the group responsible for monitoring security performs periodic reviews of user\naccess levels to identify required necessary changes and to ensure that user access levels are\nauthorized.\n\n               Response\n\n               Concur. A project to identify and initialize auditing for all critical sensitive dataset\xe2\x80\x99s\n               will be started. The target date for completion is June 30, 1997. The responsible\n               official is Chief, ADP Services Division.\n\n\n\n\n                                                  16\n\n\n                                                 45\n\x0c                                                                                          APPENDIX 2\n                                                                                          Page 19 of 26\n\nMAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY\n\n      2. Institute a policy of \xe2\x80\x9cleast privileged\xe2\x80\x9d access levels to ensure that access to resources and data\nis limited to those users who require such access.\n\n                Response\n\n                Complied. A policy of \xe2\x80\x9cleast privileged\xe2\x80\x9d access is now in place. While the capability\n                to emulate the master console is assigned to a few individuals, the ability to issue\n                critical operating system level commands has not been given. These commands are\n                limited to the master console which is located in a locked, secured computer room\n                accessible by authorized personneP onIy.\n\n\n\n\n                                                    17\n\n\n                                                  46\n\x0c                                                                                       APPENDIX 2\n                                                                                       Page 20 of 26\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nK. RACF Software Internal Controls\n\nCondition:    Responsibilities of the RACF security administrator (assigned the SPECIAL attribute\n              within RACF) had been combined with the responsibilities of the RACF auditor\n              (assigned the AUDITOR attribute within RACF). In addition, seven user IDS within\n              the Service Center had these combined attributes. This weakness was previously\n              identified in a March 1994 Office of Inspector General audit report (No. 94-I-357).\n\nCriteria:     The RACF Auditor\xe2\x80\x99s Guide addresses the importance of the separation of duties\n              between the security administrator and the auditor. The Guide states, \xe2\x80\x9cThe separation\n              of powers is necessary because it is the security administrator\xe2\x80\x99s job to establish RACF\n              controls, and it is the auditor\xe2\x80\x99s function to test the adequacy and effectiveness of these\n              controls. \xe2\x80\x9d\n\nCause:        Service Center officials stated that RACF security administrator and RACE-auditor\n              functions were performed by the same individual because of the limited number of\n              staff assigned to the group responsible for monitoring security. They further stated\n              that the Service Center had a limited number of individuals who had expertise in the\n              area of RACF administration.\n\nEffect:       The control over the RACF security administrator function is lost because there was\n              no systematic monitoring of this powerful function. Therefore, the risk exists for\n              accidental or intentional unauthorized actions that could disrupt informatiorrsystem\n              operations and threaten the integrity of the sensitive information.\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center, evaluate the staffing requirements\nof the group responsible for monitoring security to ensure the separation of duties within RACF.\n\n              Response\n\n              Concur. Staffing requirements will be evaluated to ensure the separation of duties\n              within RACF. Separation of RACF administrator and auditor responsibilities will be\n              accomplished to the maximum extent possible. However, combining these\n              responsibilities in isolated situations is necessary and will be managed accordingly.\n              Also, we disagree with the statement that this condition was caused by \xe2\x80\x9cthe limited\n              number of staff assigned to the group responsible for monitoring security.\xe2\x80\x9d This\n\n              this evaluation is September 30, 1997. The responsible official is the Chief, ADP\n              Services Division.\n\n\n                                                 18\n\n\n                                               47\n\x0c                                                                                      APPENDIX 2\n                                                                                      Page 21 of 26\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nL.   Authorization - Internal Controls\n\nCondition:     Mainframe access given to users as assigned in RACF was not always supported by\n               a formal request or was not recorded in the Service Center\xe2\x80\x99s Decentralized Security\n               .lidministration Facility.\n\nCriteria:      The Service Center\xe2\x80\x99s policy is for formal authorization requests to be obtained from\n               the designated security point of contact before users are permitted to access sensitive\n               data on the mainframe computer. In addition, the point of contact can orally notify\n               the Service Center for adjustments to the users9 access req.unements. Also, generally\n               accepted industry standards recommend that reconctliations exist between what has\n               been formally requested and what access level was actually granted to ensure that\n               mishandling, alterations, and misunderstandings are reduced.\n\nCause:         Orally requested access level adjustments that were approved were not always\n               recorded in the access request system because the Service Center did not always\n               enforce the procedures to record approved access level adjustments.\n\nEffect:        By not updating Decentralized Security Administration Facility records for\n               adjustments to accesses requested, the system administrator cannot reconcile the\n               formal authorization and the Decentralized Security Administration Facility records\n               with the RACF access levels assigned to users and thus ensure that access is assigned\n               at the appropriate level.\n\n\nRecommendation\n\nWe recommend that the Director, Administrative Service Center, document and implement\nprocedures to ensure that Decentralized Security Administration Facility records are updated for oral\naccess adjustments to allow for the reconciliation of access requested with access allowed.\n\n               Response\n\n               Nonconcur. We disagree there is a problem and question any adverse effect. Formal\n               requests for user access are made through client Security Points-of-Contact to the\n               ASC Security Manager. As users begin accessiig the system revisions to their access\n               are sometimes necessary in order to perform their duties. To expedite these revisions,\n               client Security Points-of-Contact may orally contact the ASC Security Manager.\n               Since only client and AS@ security offkials can effect these access revisions, we\n\n\n\n\n                                                 19\n\n\n                                                48\n\x0c                                                                             APPENDIX 2\n                                                                             Page 22 of 26\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\n       question any adverse effect as well as any benefit from retroactively requiring\n       additional documentation. Also, \xe2\x80\x9cgenerally accepted industry standards\xe2\x80\x9d are cited as\n       applicable criteria. As previously addressed in our response, discussions with the\n       auditors confirmed that a conclusive set of \xe2\x80\x9cgenerally accepted industry and\n       information system standards\xe2\x80\x9d were not available and the auditors were not aware as\n       to whether these \xe2\x80\x9cstandards\xe2\x80\x9d had ever been issued as official Government-wide\n       policy. The Department of the Interior\xe2\x80\x99s Office of Information Resources\n       Management likewise advised that they were unaware of these \xe2\x80\x9cstandards\xe2\x80\x9d and their\n       applicability to Interior organizations. Finally, we question the recommendation in\n       terms of consistency with OMB policies. Both OMB Circulars A-123 and A-130\n       recognize cost as an important consideration and require that agencies implement cost\n       effective management and internal controls. For instance, OMI3 Circular A-130\n       recognizes both risk and cost in addressing \xe2\x80\x9cadequate security.\xe2\x80\x9d Yet, discussions with\n       the auditors confirmed that cost was not considered.\n\n\n\n\n                                        20\n\n\n                                       49\n\x0c                                                                                     APPENDIX 2\n                                                                                     Page 23 of 26\n\n\nMAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY\n\nM. Computer Security Plan/Report\n\nCondition:     The Service Center had not developed a security plan for fiscal year 1996.\n\nCriteria:      The Computer Security Act of 1987 requires that all agencies improve the security\n               and privacy of sensitive information in Federal computer systems. Specificaliyy, the\n               Act requires that security plans be developed for all sensitive computer systems. A\n               computer security plan is designed to assist agencies in addressing the protection of\n               general support systems and major applications that contain sensitive information to\n               help ensure the system\xe2\x80\x99s inte@ty, availability, and confidentiality. In addition Office\n               of Management and Budget Circular A-130, Appendix III! states that agencies\n               without adequate security plans should consider classifying this as a material\n               weakness in their annual Federal Managers\xe2\x80\x99 Financial Integrity Act report to the\n               Congress\xe2\x80\x9d\n                                                                                     .\nCause:         A computer security plan was not prepared for fiscal year 1996 because of limited\n               staffing in the group responsible for monitoring security.\n\nEffect:        Without this plan the Setvice Center did not have adequate assurance that data in its\n               sensitive systems were adequately protected. In addition, the Service Center had a\n               material weakness, which should be reported in its annual Federal Managers\xe2\x80\x99 Financial\n               Integrity Act report to the Congress.\n\nRecommendation\n\nWe recommend that the Director. Administrative Service Center, provide resources to ensure the\ndevelopment of a computer security plan for the sensitive systems in accordance with the Computer\nSecurity Act and Circuiar A-130, Appendix III. Also, the lack of a security plan should be reported\nas a material weakness to the Department of the Interior for inclusion in its next annual Federal\nManagers\xe2\x80\x99 Financial Integrity Act report until a plan is developed and meets the requirements of\nCircular A- 130.\n\n               Response\n\n               Complied. A current computer security plan was documented and submitted in\n               January 1997 in accordance with Department of the Interior Office of Information\n               Resources Management requirements. The ASC has had an effective security\n               program in place that has included, for example, periodic reviews of security controls\n               in each major system as required by OMB Circular A-130. These reviews have\n               disclosed no significant security problems or deficiencies.\n\n\n\n\n                                               50\n\x0c                                                                                        APPENDIX 2\n                                                                                        Page 24 of 26\n\n\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\n.N.   Continuity of Operations Plan\n\nCondition:\n                not address recovery of one of the sensitive systems, the FFS; the LAN; and critical\n                telecommunications links. Also, the Plan had not been updated to reflect all tests of\n                the Plan completed in 1996. Additionally, the risk analysis, upon which the Plan is to\n                be based, had not been updated since July 1990.\n\nCriteria:       Office of Management and Budget Circular A-130 requires agencies to establish a\n                comprehensive contingency plan and periodically test the capability to perform the\n                agency function supported by the application, as well as critical telecommunications\n                links, in the event of a disaster or system failure. In order to accurately and\n                successfully test the disaster recovery capabilities, the disaster recovery plans need to\n                be updated as changes occur. In addition the Circular states that \xe2\x80\x9cmanual procedures\n                                                                                            .    _\n\nCause:          Service Center officials said that update of the risk analysis and continuity of\n                operations plan had low priorities. In addition, Service Center officials stated that the\n                FFS application was not included in the Plan as a result of Service Center clients\n                agreeing that FFS services could be delayed for 30 days because processing could.be\n                performed manually. However, we found no documentation of such agreements.\n\nEffect:         Ifthe Continuity of Operations Plan is incorrect (such as by not including all sensitive\n                systems) or is outdated, personnel required to perform the disaster recovery\n                procedures may not be able to recover critical systems in the event of a disaster or\n                                                                                                   .\n                system failure.\n\nRecommendations\n\nWe recommend that the Director, Administrative Service Center:\n\n      1. Perform a risk analysis of the Service Center\xe2\x80\x99s computer center and its applications.\n\n                Response\n\n                Complied. A risk analysis of the computer center was completed in November 1996:\n                The security plan calls for periodic reviews of security controls for major systems in\n                accordance with the requirements of OMB Circular A-130.\n\n\n\n\n                                                   22\n\n\n                                                 51\n\x0c                                                                                    APPENDIX 2\n                                                                                    Page 25 of 26\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\n    2. Update the existing Continuity of Operations Plan for the mainframe, sensitive applications,\nand telecommunications links so that the current operating environment is documented.\n\n               Response\n\n               Concur. The Continuity of Operations Plan will be updated for the mainframe,\n               sensitive applications and telecommunication links by September 30, 1997. The\n               responsible official is the Chief, ADP Services Division. It should be noted that we\n               believe this condition should have been more appropriately stated as a currency of\n               documentation issue. The ASC has addressed recovery of the Federal Financial\n               System and telecommunications although not formally documented. This will now\n               be documented as part of the update of the Continuity of Operations Plan.\n\n\n\n\n                                                23\n\n\n                                               52\n\x0c                                                                                     APPENDIX 2\n                                                                                     Page 26 of 26\n\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\n\n\nCondition:     No comprehensive business recovery plan had been developed for the Service Center.\n               The only plan in existence at the Service Center was the Continuity of Operations\n               Plan, which addressed only the recovery of the systems environment. The Plan did\n               not address business and user operations that need to be in effect for the Service\n               Center to support its clients in the event of a disaster or system failure.\n\nCriteria:      Office of Management and Budget Circular A-P30 requires agencies to establish\n               controls to ensure adequate security for all information processed, transmitted, or\n               stored in Federal automated information systems. In addition, generally accepted\n               information systems standards recognize that a comprehensive business recovery plan\n               is necessary to ensure the timely recovery of all business functions and of the systems\n               environment, both of which are critical for day-to-day operations, and to minimize\n                                                                                               __.\n\nCause:         The Service Center\xe2\x80\x99s emphasis was on the restoration of the mainframe environment\n               rather than on the recovery of business operations.\n\nEffect:        If a disaster or system failure occurs, the Service Center may not be able to recover\n               all business functions and systems necessary for the continued long-term operations\n               of the organization.\n\nRecommendation\n\n\nrecovery plan, which includes procedures for its business functions.\n\n               Response\n\n               Concur with intent. Although, we are not aware of any specific requirement for a\n               \xe2\x80\x9ccomprehensive business recovery plan,\xe2\x80\x9d we are willing to evaluate major operations\n               and business functions to ensure long-term sustainability. Completion of the\n               evaluation is targeted for March 31, 1998. The responsible official is the Chief,\n               Management Services Division.\n\n\n\n\n                                                 24\n\n\n                                               53\n\x0c                                                                        APPENDIX 3\n\n           STATUS OF AUDIT REPORT RECOMMENDATIONS\n\nFinding/Recommendation\n         Reference            Status                 Action Required\n\n\n\n\n                                            No further response to the\n                                            Department of the Interior Office\n                                            of Inspector General is required.\n                                            The recommendations will be\n                                            referred to the Assistant\n                                            Secretary for Policy,\n                                            Management and Budget for\n                                            tracking of implementation.\n\n                         Unresolved.        Reconsider the recommendation,\n          L.l                               and provide an action plan that\n                                            includes target dates and titles of\n                                            officials responsible for\n                                            implementation.\n\n\n\n\n                                       54\n\x0c\x0c\x0c'